This chapter introduces these key information security principles and concepts, showing how the best security specialists combine their practical knowledge of computers and networks with general theories about security, technology, and human nature.

This chapter is from the book

After reading this chapter and completing the exercises, you will be able to do the following:

Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles apply to real-life situations

Distinguish among the three main security goals

Learn how to design and apply the principle of defense in depth

Comprehend human vulnerabilities in security systems to better design solutions to counter them

Explain the difference between functional requirements and assurance requirements

Comprehend the fallacy of security through obscurity to avoid using it as a measure of security

Comprehend the importance of risk-analysis and risk-management tools and techniques for balancing the needs of business

Determine which side of the open disclosure debate you would take

Introduction

Many of the topics information technology students study in school carry directly from the classroom to the workplace. For example, new programming and systems analysis and design skills can often be applied on new systems-development projects as companies espouse cloud computing and mobile infrastructures that access internal systems.

Security is a little different. Although their technical skills are certainly important, the best security specialists combine their practical knowledge of computers and networks with general theories about security, technology, and human nature. These concepts, some borrowed from other fields, such as military defense, often take years of (sometimes painful) professional experience to learn. With a conceptual and principled view of information security, you can analyze a security need in the right frame of reference or context so you can balance the needs of permitting access against the risk of allowing such access. No two systems or situations are identical, and no cookbooks can specify how to solve certain security problems. Instead, you must rely on principle-based analysis and decision making.